Source: mG0CUyFnyP.elf |
Malware Configuration Extractor: Gafgyt {"C2 url": "94.156.79.48:23"} |
Source: mG0CUyFnyP.elf |
ReversingLabs: Detection: 65% |
Source: mG0CUyFnyP.elf |
Virustotal: Detection: 60% |
Perma Link |
Source: /tmp/mG0CUyFnyP.elf (PID: 5479) |
Opens: /proc/net/route |
Jump to behavior |
Source: unknown |
TCP traffic detected without corresponding DNS query: 94.156.79.48 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 94.156.79.48 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 94.156.79.48 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 94.156.79.48 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 94.156.79.48 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 94.156.79.48 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 94.156.79.48 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 94.156.79.48 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 94.156.79.48 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 94.156.79.48 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 94.156.79.48 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 94.156.79.48 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 94.156.79.48 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 94.156.79.48 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 94.156.79.48 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 94.156.79.48 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 94.156.79.48 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 94.156.79.48 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 94.156.79.48 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 94.156.79.48 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 94.156.79.48 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 94.156.79.48 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 94.156.79.48 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 94.156.79.48 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 94.156.79.48 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 94.156.79.48 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 94.156.79.48 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 94.156.79.48 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 94.156.79.48 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 94.156.79.48 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 94.156.79.48 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 94.156.79.48 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 94.156.79.48 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 94.156.79.48 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 94.156.79.48 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 94.156.79.48 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 94.156.79.48 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 94.156.79.48 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 94.156.79.48 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 94.156.79.48 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 94.156.79.48 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 94.156.79.48 |
Source: global traffic |
DNS traffic detected: DNS query: daisy.ubuntu.com |
Source: ELF static info symbol of initial sample |
Name: vseattack |
Source: classification engine |
Classification label: mal80.spre.troj.linELF@0/0@2/0 |
Source: /tmp/mG0CUyFnyP.elf (PID: 5479) |
Queries kernel information via 'uname': |
Jump to behavior |
Source: mG0CUyFnyP.elf, 5479.1.00007fffa9565000.00007fffa9586000.rw-.sdmp, mG0CUyFnyP.elf, 5481.1.00007fffa9565000.00007fffa9586000.rw-.sdmp |
Binary or memory string: xO5A*x86_64/usr/bin/qemu-mipsel/tmp/mG0CUyFnyP.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/mG0CUyFnyP.elf |
Source: mG0CUyFnyP.elf, 5479.1.00005625cb5d6000.00005625cb65d000.rw-.sdmp, mG0CUyFnyP.elf, 5481.1.00005625cb5d6000.00005625cb65d000.rw-.sdmp |
Binary or memory string: /etc/qemu-binfmt/mipsel |
Source: mG0CUyFnyP.elf, 5479.1.00005625cb5d6000.00005625cb65d000.rw-.sdmp, mG0CUyFnyP.elf, 5481.1.00005625cb5d6000.00005625cb65d000.rw-.sdmp |
Binary or memory string: %V!/etc/qemu-binfmt/mipsel |
Source: mG0CUyFnyP.elf, 5479.1.00007fffa9565000.00007fffa9586000.rw-.sdmp, mG0CUyFnyP.elf, 5481.1.00007fffa9565000.00007fffa9586000.rw-.sdmp |
Binary or memory string: /usr/bin/qemu-mipsel |
Source: Yara match |
File source: mG0CUyFnyP.elf, type: SAMPLE |
Source: Initial sample |
User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 |
Source: Initial sample |
User agent string found: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36 |
Source: Initial sample |
User agent string found: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 |
Source: Initial sample |
User agent string found: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36 |
Source: Initial sample |
User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 |
Source: Initial sample |
User agent string found: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36 |
Source: Initial sample |
User agent string found: Mozilla/5.0 (Windows NT 5.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36 |
Source: Yara match |
File source: mG0CUyFnyP.elf, type: SAMPLE |